Date: Fri, 22 Mar 1996 14:15:35 -0500 (EST)
From: ptownson@massis.lcs.mit.edu (Patrick A. Townson)
Subject: Encrypted Communications Privacy Act
Attached for your review over the weekend is a submission I have been
a little derelict in getting out. I meant to work on it a few days ago
but it got shoved aside. My thanks to Rich Szabo for passing it along,
and I imagine he will appreciate your thoughts on it as will the
Voters Telecommunications Watch. There is no connection between this
Digest and VTW; this is being passed along FYI to you.
PAT
From: Rich Szabo
Subject: Encrypted Communications Privacy Act
This document analyzes a bill that would address telecom privacy
issues.
Please note that I am not connected to VTW nor do I speak for them.
Rich Szabo rszabo@apk.net
__ _________ __
\ \ / /_ _\ \ / / Voters Telecommunications Watch (VTW)
\ \ / / | | \ \ /\ / / (We're not the EFF)
\ V / | | \ V V / URL:http://www.vtw.org/
\_/ |_| \_/\_/ Mar 5, 1996 (expires Apr 5, 1996)
SEN. LEAHY (D-VT) AND REP. GOODLATTE (R-VA) INTRODUCE
"ENCRYPTED COMMUNICATIONS PRIVACY ACT"
TO THWART CLINTON ADMINISTRATION'S FLAWED CLIPPER PLAN
Please widely redistribute this document with this banner intact
CONTENTS
The Latest News
Analysis of Leahy bill
What You Can Do Now
Chronology of Leahy bill
Press Contact Information
A few questions and answers
Our policy on financial donations
THE LATEST NEWS
In the opening round of what promises to be a no-holds-barred fight
with the Clinton Administration and the Intelligence community over
cryptography policy, Senator Patrick Leahy (D-VT) and Representative
Robert Goodlatte (R-VA) presented bills today that intend to:
-decontrol the export restrictions on mass-market and publicly
available software such as Phil Zimmerman's "Pretty Good Privacy"
(PGP),
-affirm Americans' right to use cryptography of their own choosing,
-affirm Americans' right to *not* use key escrow systems,
-make it a crime for an authorized key escrow agent to disclose a
key recklessly or intentionally, and
-create a crime of using cryptography while committing a felony
for the express purpose of thwarting an investigation.
The topic of cryptography exports is crucial to the continued growth
and security of the Internet and online commerce. The success of the
information economy in many cases hinges on the ability to employ
strong encryption techniques to protect confidential data.
The two bills come at a crucial time after the Clinton Administration
has put forth two flawed encryption proposals, Clipper and Son of
Clipper. A third plan, this time in the form of legislation, is in the
works if one is to believe the rumors in the press. So far the only
reason the Clinton Administration's flawed "Clipper" plans have been
paid any attention to at all is because they offer relaxed export
controls in return for storing your keys with government agencies or
quasi-government agencies. The best part of the Leahy bill, though, is
that you can use the encryption export provisions without ever thinking
about using escrow.
Leahy's bill will ensure that few consumers, if any, ever consider another
Clinton-mandated encryption scheme ever again.
The Leahy/Goodlatte bill allows the export of most of the cryptographic
products you and I would would like to use, without any of the Clipper
requirements. Without the lure of relaxed export for "Clippered"
products, nobody will pay attention to Clipper products. This will
surely be the deadly blow to all present and future "Clipper" plans
that rely on the Clinton Administration's strongarm export policy
tactics.
A new Clinton proposal on encryption is rumored to be in the works.
However, judging from the way they've bungled the first two proposals,
VTW believes the newest Clinton proposal will be created with a similar
process, with little regard for the concerns of business, industry and
the public.
One thing is certain; there will be movement on encryption policy this
year. It may be legislative or it may be regulatory; we're in a far
better position driving legislation we endorse, rather than lobbing
bombs at legislation being driven past us.
VTW believes this legislation is an excellent initiative. We have long
advocated the decontrol of cryptography export laws based on the
following principles:
-The public and businesses have the right to use the strongest
cryptographic products they (not the government) feel are necessary
to ensure the confidentiality of their private communications.
-The public and businesses should never be compelled to use software
with escrow functionality, escrow agents, nor escrow agents that
do not have the public's confidence.
-If the public and business should choose to use escrow agents,
the agents' primary responsibility should be to key owners, not to
law enforcement. They should be mostly unregulated, and in an
ideal world, there should be hundreds, if not thousands to choose
from.
-Current export controls are outdated, don't work, are threatening
to worsen the problem of security of the Internet, and are
damaging the competitiveness of US companies in the global
marketplace.
The way Leahy/Goodlatte addresses export of cryptography is consistent
with our principles. VTW will keep you informed of its progress. As
anyone familiar with the legislative process knows, a bill rarely ever
looks the same at the end of the process as it did at the beginning.
This bill is good for the Internet, and we intend to monitor it like
the watchdogs you expect us to be, to ensure that it does not
significantly deviate from the basic principles outlined above.
In doing this, it will be crucial for the Internet community to speak
up. Big business will weigh in on this bill to protect their rights to
sell products with encryption in them. However nobody will speak up
for your right to have a private conversation except you.
We're counting on you to find that voice, and use it over the next few
months to ensure that your present right to use encryption *of your
choice* isn't amended out of the bill. There are some powerful forces
out there that will be lobbying heavily on this legislation. The White
house is rumored to have their bill ready. The law enforcement and
intelligence communities, who would rather you couldn't use strong
encryption, will be employing their usual scare tactics. Worst of all,
the Clinton Administration, particularly Vice President Al Gore, who
should be a voice of reason for these issues, will, if the example of
Clipper and Son of Clipper is any indication, pander to law enforcement
and the anti-crime vote in an election year.
We predict that the White House will do everything in their power to
prevent Senator Leahy from liberating PGP. He will need your help to
push forward.
Over the next few months, VTW will be coordinating a coalition of
names, many of which are already familiar to you. This coalition will
ask you to call and write to Congress, expressing your opinion, and
threatening to back it up with the ultimate legitimate weapon of
democracy, your vote in this election year.
We're counting on you; we know you're up to it.
We urge you to visit our homepage at http://www.vtw.org/, where we'll
keep you updated on current events involving the bill. If you haven't
already, you may want to subscribe to our vtw-announce list, no
discussion, low-volume email messages that will keep you updated
directly as we issue alerts and newsletters. In the wake of the
Telecomm Bill protests, over 3,000 of you have subscribed in less than
a month. Use the one-line form on our home page.
P.S. We don't count our WWW page hits; we have better things to do.
________________________________________________________________________
ANALYSIS OF ENCRYPTED COMMUNICATIONS PRIVACY ACT
The Leahy and Goodlatte bills are not exactly alike. For the moment,
we will concentrate on the Leahy bill for purposes of analysis. We
find it to be fleshed out in many areas.
AFFIRMS OUR RIGHT TO USE CRYPTOGRAPHY OF OWN CHOOSING
The bill affirms that "Americans should be free lawfully to use
whatever particular encryption techniques, technologies, programs, or
products developed in the marketplace they desire in order to interact
electronically worldwide in a secure, private, and confidential
manner". The bill also affirms our right to use cryptographic products
that do not have key escrow functions in them, or to choose not to use
such functions. If we do choose to use escrow holders, the bill
affirms our right to use key holders of our own choosing.
DEREGULATION OF PUBLICLY-AVAILABLE CRYPTOGRAPHIC TECHNOLOGY
The bill addresses the "PGP problem" by making software that is
"generally available", "publicly available", or "public domain"
exportable with NO LICENSE REQUIRED, unless it is "specifically
designed for military use".
CREATES CRIMINAL PENALTIES FOR MALICIOUS KEY HOLDERS
If I designate a local business to be my key holder, it is important
that they take that responsibility seriously. The bill creates
criminal penalties for key holders that behave recklessly with my
decryption keys.
Recently the Administration suggested that such individuals must be
licensed by the US Government, and in some cases, be required to
possess security clearances. This would make them little more than
puppets of law enforcement. The bill creates criminal penalties with
monetary fines if a key holder releases a key recklessly or
inappropriately. Reasonable rules for an escrow agents conduct are
described in the bill. These are discussed further below.
RAISES THE STANDARD FOR A COURT TO OBTAIN YOUR DECRYPTION KEY
Currently a court needs to only issue a simple search warrant to obtain
a copy of your key for decryption of your communications. This bill
raises the requirement to be equivalent to that of a court-ordered
wiretap.
ENCOURAGES KEY HOLDERS TO SERVE THE INTERESTS OF KEY OWNERS WHEN
PRESENTED WITH A COURT-ORDER
If you have chosen to use a key holder, they may find themselves in a
curious predicament if presented with a court order at some point in
the future. They really don't want to simply hand over your decryption
key, since once it is divulged, it might be used to decrypt more
information than what is required under the court order.
The bill instructs a key holder to provide law enforcement with as
little information as possible, in order to satisfy a warrant request,
while still protecting as much of the key owner's confidentiality as
possible.
The bill accomplishes this by instructing a key owner to attempt to
deliver decrypted communications only for the times specified by the
warrant to law enforcement as a first step. If the key holder is
unable to produce the decrypted communication for law enforcement, only
then, as a last resort, should a key holder relinquish your key.
This allows a key holder to work to protect the confidentiality of your
decryption keys, while still fulfilling both the spirit and letter of
the court order.
DISCOURAGES THE USE OF ENCRYPTION TO THWART A FELONY INVESTIGATION
This is probably the one provision we wouldn't have put in the bill,
were we drafting it. Clearly added to appease law enforcement, it
creates a new crime to "willfully" attempt to thwart a law enforcement
investigation by using encryption. VTW feels that such a crime is
unnecessary, but we're happy to see this is a fairly narrowly-tailored
statute. It only applies to individuals who are engaging in a felony
and using encryption to communicate information while in the commission
of the felony, and whose intent, in using encryption, is to foil a law
enforcement investigation.
If you and a friend are talking with an encrypted phone, and you
mention that you think some mutual friend is cheating on their taxes,
you are not liable under this provision. If you are planning the
Million Man March using encrypted email, and fear that you may be
investigated because your cause in unpopular in some law enforcement
circles, you are not liable because you are not committing a felony,
even though law enforcement may find it annoying that they cannot read
your mail.
This provision only applies to you if you are using encryption to
specifically foil a law enforcement investigation AND the communication
relates to a felony AND you are using the communication to commit the
felony. VTW feels this is a fairly narrowly drawn statute that is not
likely to be easily abused.
Although this bill is the best thing we've seen in Congress on this
issue since ex-Rep. Maria Cantwell's (D-WA) export-of-encryption bill
was introduced to the 103rd Congress two years ago, there are still
some issues in the bill that bear further examination. Let it be
understood that we think the balance of this bill right now will help
the net far more than hurt it and the net should step forward and help
Leahy and Goodlatte in their fight against the Administration over this
issue. Nevertheless, our suggestions for tuning this bill are included
below.
BILL SHOULD INCLUDE AN EXPLICIT SUPPRESSION PROVISION
Although the Fourth Amendment is the law of the land, it is important
to note that it a applies to communications decrypted after an
erroneous warrant has been issued. VTW feels that such a provision
should be enumerated in the bill, just to clarify any concerns a court
might have about such evidence. It is also clear, however, that such a
provision is nearly impossible to obtain in the current Congressional
climate, though we will continue to urge the bill's sponsors to add
it.
THE BILL SHOULD CLEARLY INCLUDE ENCRYPTION PRODUCTS FOR STORED DATA
The bill addresses encryptions products used for wire or oral
communications, per the Electronic Communications Privacy Act. Since
many encryption products are built for just this purpose, it includes
many of them. However, we think it is appropriate to specifically
include products that are used only for encrypting stored data.
THE BILL SHOULD INSTRUCT ESCROW AGENTS TO REPORT DISCLOSURES AS WELL
The bill currently requires law enforcement to notify the Office of the
Courts as to the number of court orders served on key holders and for
what crimes the court orders were obtained. The Office is required to
make this information public annually.
VTW feels that accountability should never be in short supply.
Requiring key holders to notify the Office of the Courts whenever they
are ordered to disclose a key will allow the public yet another way of
making sure that appropriate procedures are being followed to protect
the public.
We suggest an inexpensive reporting method such as registered mail so
as not to burden key holders needlessly. Presumably, when the Office
of the Courts totals up its numbers every year, the number of
disclosures reported by law enforcement will add up to the SAME number
reported by key holders themselves. Should there be a discrepancy, the
public will be grateful for the additional accountability.
NEW CRIMES ARE NEEDED TO DISCOURAGE MISREPRESENTING YOURSELF TO A KEY HOLDER
Currently the bill relies on existing laws that cover police
misrepresentation to punish law enforcement officials that misrepresent
themselves to a key holder with an improper or forged warrant to obtain
a key or a decrypted communication.
The majority of law enforcement officials are good people that would
never consider such an act. Consequently, they should have nothing to
fear from such a statute.
VTW believes that a new statute is needed to dissuade those few
over-zealous law enforcement officials from violating the public's
trust in these matters.
On the whole, we believe that this bill is a win for the Internet
public and Internet businesses that require strong market-driven
cryptography. VTW urges you to become familiar with it and support
Leahy and Goodlatte in their efforts.
________________________________________________________________________
WHAT YOU CAN DO NOW
1. It's crucial that you familiarize yourself with this bill. You can
find links to it at http://www.vtw.org/ If you are an ISP or run a
WWW page, we urge you to place a pointer to the bill on your homepage
or in your message of the day. Here's a sample paragraph you can use:
A bill has been introduced in Congress today that will decontrol
many types of encryption products so they may be sold abroad,
including the world-famous PGP. To learn more about this
legislation, see VTW's home page at http://www.vtw.org/
Please remove this notice after a few days.
2. If you are an Internet Small Business, signon to VTW's Internet Small
Business Coalition at http://www.vtw.org/help/ We'll likely be
assembling a coalition of Internet small businesses in the next few
weeks and will solicit your input on ways of carrying your message to
Congress.
3. Join our vtw-announce mailing list by sending mail to majordomo@vtw.org
or by signing up straight through our WWW page at http://www.vtw.org/.
We'll be following this issue closely in the coming months. Note that
vtw-announce is not a discussion list. It's VTW announcements, with
little repeat content from other sources.
________________________________________________________________________
CHRONOLOGY OF THE 1996 LEAHY/GOODLATTE CRYPTO BILLS
Feb 26, '96 Sen. Leahy (D-VT) and Rep. Goodlatte (R-VA) introduce
the Encrypted Communications Privacy Act. Cosponsoring
this legislation on the Senate side are Sen. Dole (R-KS),
Sen. Pressler (R-SD), Sen. Burns (R-MT), and Sen. Murray
(D-WA). On the House side are the following cosponsors:
Barr (R-GA), Bono (R-CA), Boucher (D-VA), Campbell (R-CA),
Chambliss (R-GA), Coble (R-NC), DeLay (R-TX), Doolittle
(R-CA), Ehlers (R-MI), Engel (D-NY), Eshoo (D-CA),
Everett (R-Al), Ewing (R-IL), Gejdenson (D-CT),
Lofgren (D-CA), Matsui (D-CA), McKeon (R-CA), Mica (R-FL),
Moakley (D-MA), Moorhead (R-CA), Orton (D-UT),
Waldholtz (R-UT)
________________________________________________________________________
A FEW QUESTIONS AND ANSWERS
Q: Does this require, or even urge individuals to use third parties to
hold their decryption keys?
A: No way. You can use the liberal export provisions in this bill with
out ever allowing your keys to leave your "cold dead fingers".
Q: Does this advance the Clinton Administration's Clipper scheme in any way?
A: No, in fact this bill cuts out the very heart of the Clipper program.
The two Clipper programs had the potential to be adopted because Clipper
products were intended to receive preferential export treatment. This
allows the export of non-Clipper products. In the global marketplace,
the Clipper products will not be able to compete. This bill is probably
the final nail in the coffin of the Administration's flawed Clipper
proposals.
Q: Bills change during Congressional deliberation. Could this bill
change in such a way that VTW would no longer support it?
A: Absolutely. In fact, we consider it our mission to monitor the
legislation to ensure that it isn't amended to act against the right
of Internet users and businesses.
Q: Wasn't Goodlatte one of the bad guys on the Communications Decency Act?
Why is he sponsoring this bill, and can we trust him?
A: Goodlatte did indeed introduce the fatal amendment that made the House
version of the Telecomm Bill unsupportable. Nevertheless, VTW has found
that a Congressperson's vote on one sort of bill is little indication of
his or her stand on others. VTW wil closely examine any change in the
language of the bill throughout its Congressional life.
Q: Does this create a requirement for key holders to exist, or for me to
use programs that store keys with third parties?
A: No. The bill affirms your right to use encryption without such a feature,
and if you do use software with such a feature, to self-escrow the keys.
In fact, key holders can exist today.
Q: Does this create a new obligations for key holders to disclose keys that
they wouldn't have to comply with before?
A: No. In fact, this bill makes it harder for a law enforcement official to
retrieve a key from a key holder, by requiring a wiretap request instead
of a simple search warrant.
________________________________________________________________________
PRESS CONTACT INFORMATION
BY EMAIL (if your deadline is more than 24 hours away)
Send mail to vtw@vtw.org with "press deadline" in the subject line if
you are on a deadline.
BY PHONE (if your deadline is in less than 24 hours)
Call 718-596-2851 and follow the directions for contacting Steven Cherry
or Shabbir J. Safdar quickly.
________________________________________________________________________
OUR POLICY ON FINANCIAL DONATIONS
We do not accept unsolicited financial donations for our work. If you
want to help further VTW's work, we urge you to register to vote. Check
the Blue Pages of your local phone book for "Board of Elections". You
should be able to obtain voter registration forms from them.
________________________________________________________________________
Copyright 1994-1996 Voters Telecommunications Watch. Permission is granted
to copy and distribute this document for non-commercial purposes only,
provided that the above banner and this copyright notice appear in all
copies. For other uses, see our Copyright Policy at
http://www.vtw.org/copyright.html
========================================================================